Register for the iXsystems Community to get an ad-free experience

How to [Update] Installing clamAV in its own jail

Western Digital Drives - The Preferred Drives of FreeNAS and TrueNAS CORE

ghostwolf59

Contributor
Joined
Mar 2, 2013
Messages
165
Thought I share this with anyone interested...
The other day I decided to install clamAV *again* after rebuilding my freenas under 11.3-STABLE

Basis of what I've done was nicked from this thread (https://www.ixsystems.com/community/threads/how-to-install-clamav-on-freenas-v11.56790/) but since its old I thought I post what I've done under 11.3

1. Create your new clamav iocage jail as a root user on server level
iocage create -n clamav -r 11.3-RELEASE ip4_addr="vnet0|(your static ip for jail)/24" defaultrouter="your gateway ip" vnet="on" allow_raw_sockets="1" boot="on"

2. If jail wasnt started automatically, Start jail and open shell from within the jail

start jail.jpg


3. update /etc/pkg/FreeBSD.conf (change quarterly to latest)

The following is optional, but its easier since I personally prefer to work from Bitvise SSH Client (way better than putty ;) )
Its easy enough to disable this once done !
4. set root password
$passwd xyz (remember the password as this is needed once using a different ssh client)

5. edit /etc/ssh/sshd_config and unhash PermitRootLogin and set it to "yes" do the same with PasswordAuthentication and set the flag to "yes"

6. do
$sysrc sshd_enable=yes

7. do
$service sshd start

8. Close shell and login with direct using Bitwise SSH Client and take it from there...
i.e clamav jail ip address userid (root) and password previously setup

9. Once in the jail do
$pkg update && pkg upgrade -y

10. do
$portsnap fetch extract

11. do
$cd /usr/ports/ports-mgmt/portmaster

12. do
$make install clean

13. do
$cd /usr/ports/security/clamav

14. do
$make install clean

The following I prefer to do on server level, so exit out from the jail and start another ssh session as server level root user
15. Adding local directories of scantarget storage...
iocage exec clamav mkdir -p /mnt/scantarget # this is the root folder holding my mapped drives and folders
iocage exec clamav mkdir -p /mnt/scantarget/Accounts # this is one of my targets Id like to scan later
.
.
16. Create the script folder (to be mapped tp external *outside the jail itself* later
iocage exec clamav mkdir -p /mnt/script # this is where two shell scripts will reside mapped to an external location

17. Map your scantargets...
iocage fstab -a clamav /mnt/STORE01/Accounts /scantarget/Accounts nullfs rw 0 0
.
.
.

18. Map your external script folder to jail script folder
iocage fstab -a clamav /mnt/JailSSD/apps/clamav /script nullfs rw 0 0 # /mnt/JailSSD/apps/clamav needs exist prior

19. two shell scripts needs to be created and stored in /mnt/JailSSD/apps/clamav/
These two scripts will allow you to
1. Enable concurrent scan jobs to run without conflicts
2. pass subfolder to be scanned as a parameters into the job
Note: folder names containing spaces require the scantarget parameter to be surrounded by ""
i.e /mnt/JailSSD/apps/clamav/run_clamav_scan.sh "folder name with spaces"
3. Limit the virusdb to be updated once every 24 hours or if/when /var/log/clamav/freshclam-[yyyymmdd].log inside the clamav jail is missing

avscan.sh
Code:
#!/bin/sh

### Notes ###
## Shell scripts to update the ClamAV definations, then run a scan and prepare an email template ##
## This script is called from a master script running as a cron job on the FreeNAS server ##
## Master script is: run_clamav_scan.sh  ##
##
## Instructions: ##
## 1) To use this you need to create a Jail called "ClamAV" ##
## 2) Open a Shall to the jail and then run: "pkg update" ##
## 3) The run: "pkg install clamav" ##
## 4) You can then "exit" the Jail ##
## 5) Add the windows shares you wish to scan by using the Jail Add Storage feature ##
## 5a) Add the shares to same location you use in the variable: "scanlocation" ##
## 6) Setp a cronjob on the FreeNAS server to run a shell script on the FreeNAS server: "run_clamav_scan.sh" ##
## 7) The shell script "run_clamav_scan.sh" then connects to the Jail and runs this script. ##
## 8) Once finished, the "run_clamav_scan.sh" script emails a log to the email entered in the variable: "to_email" ##
##
## https://www.clamav.net/ ##
## ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, ##
## and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command ##
## line scanner and an advanced tool for automatic database updates. ##

pid=${1}
#echo "pid argument ${pid}"

targetdir=${2}
#targetdir=${@}
#echo "targetdir ${targetdir}"

## Top directory of the files/directories you wish to scan, i.e. the "Jail Add Storage" locations ##
scanlocation="/scantarget/${targetdir}"


### Parameters ###
## update email address ##
to_email="your_email@address"

NOW=$(date "+%Y%m%d")
### Only Update anti-virus definitions once per day identified by date ###
## Look for existing freshclam.log for todays date - if found, ignore updating the virus def
## If NOT found, clean up any old freshclam-*.log files stored on the system and re-created it along with fresh virus def
file="/var/log/clamav/freshclam-${NOW}.log"
if [ ! -f "$file" ]
then
    echo "$0: File '${file}' not found."
    ## Clean up old clam files and create a fresh up to date version
    f=0
    for file in /var/log/clamav/freshclam*.log
    do
        if [ -f "$file" ]
        then
            rm -f $file
            ((f++))
        fi
    done
    echo "number of files removed: $f"
    echo "creating a new freshclam"
    freshclam -l /var/log/clamav/freshclam-${NOW}.log
fi   
#freshclam -l /var/log/clamav/freshclam${pid}.log
### End ###

echo "scan starting targetting ${scanlocation}"

### Run the anti-virus scan uniquely identified by pid ###
started=$(date "+ClamAV Scan started at: %Y-%m-%d %H:%M:%S")
clamscan -i -r -l /var/log/clamav/clamscan${pid}.log "${scanlocation}"
finished=$(date "+ClamAV Scan finished at: %Y-%m-%d %H:%M:%S")
### End ###

### prepare the email - pid makes the file unique ###
## Set email headers ##
(
    echo "To: ${to_email}"
    echo "Subject: ${started}"
    echo "MIME-Version: 1.0"
#    echo "Content-Type: text/html" ## does not work with 11.3 for now
    echo -e "\\r\\n"
) >> /tmp/clamavemail${pid}.tmp

## Set email body ##
(
    echo "<pre style=\"font-size:14px\">"
    echo ""
    echo "scantarget ${scanlocation}"
    echo ""
    echo "${started}"
    echo ""
    echo "${finished}"
    echo ""
    echo "--------------------------------------"
    echo "ClamAV Scan Summary pid ${pid}"
    echo "--------------------------------------"
    tail -n 8 /var/log/clamav/clamscan${pid}.log
    echo ""
    echo ""
    echo "--------------------------------------"
    echo "freshclam log file"
    echo "--------------------------------------"
    tail -n +2 /var/log/clamav/freshclam-${NOW}.log
    echo ""
    echo ""
    echo "--------------------------------------"
    echo "clamav log file"
    echo "--------------------------------------"
    tail -n +4 /var/log/clamav/clamscan${pid}.log | sed -e :a -e '$d;N;2,10ba' -e 'P;D'
    echo "</pre>"
) >> /tmp/clamavemail${pid}.tmp

### Tidy Up ###
## Delete the freshclam log in preparation of a new log ##
#rm /var/log/clamav/freshclam-${NOW}.log ## Not required since file is created once per day i.e no need to refresh clam virus def for every run

## Delete the clamscan log in preparation of a new log ##
rm /var/log/clamav/clamscan${pid}.log
### End ###



run_clamav_scan.sh
Code:
#!/bin/sh

### Execute a shall script on the ClamAV jail, which updates the Anti-Virus definations and then runs a scan ###
## iocage = FreeNAS v11.1 and above (yes FreeNAS v11.1 supports both warden and iocage [via CLI]) ##

## Define the location where the "avscan.sh" shell script is located on the jail:
scriptlocation="/script/"

# Grab pid id from started process and sent it to tmp file so second process can pick it up

pid=$$
#echo "pid id ${pid}"

# Grab target directory parameter
scantarget=${@}


## Execute the script passing pid and target path ##
iocage exec clamav "$scriptlocation"avscan.sh "${pid}" "${scantarget}"

## email the log ##
sendmail -t < /mnt/JailSSD/iocage/jails/clamav/root/tmp/clamavemail${pid}.tmp

## Delete the log file ##
rm /mnt/JailSSD/iocage/jails/clamav/root/tmp/clamavemail${pid}.tmp



20. Change the permission on both these shell scripts to...
chown 0:0
chmod 500

21. The run_clamav_scan.sh script needs to be run on server root level *generally you setup a cron task to kick it off regularly
Cron Task:
cron_job.jpg



22. Thats it!

If you want to kick off the job manually, login as root on the server and do
$/mnt/JailSSD/apps/clamav/run_clamav_scan.sh "scan target folder name"
**** 'scan target folder name' as defined within the clamav jail scantarget or use the root folder name and append subfolder to limit the scan"

IF you dont what the keep the root access to clamav jail
1. edit /etc/ssh/sshd_config and unhash PermitRootLogin and set it to "no" do the same with PasswordAuthentication and set the flag to "no"
2. do
$sysrc sshd_enable=no

7. do
$service sshd restart


let me know if I missed something - Works pretty good for me, but noticed some issues when scanning large content *memory and timeout issues*, but this has nothing to do with the overall setup as far as I can see
 
Last edited:

Rajstopy

Dabbler
Joined
Dec 27, 2020
Messages
16
Thank you very much for this very helpful howto!

Everything is ok, except the script e-mailing. I don't understand at all how you can go from >> /tmp/clamavemail${pid}.tmp within the jail to sendmail -t < /mnt/JailSSD/iocage/jails/clamav/root/tmp/clamavemail${pid}.tmp on server side Must have missed something...

Cheers
 

Rajstopy

Dabbler
Joined
Dec 27, 2020
Messages
16
Thank you very much for this very helpful howto!

Everything is ok, except the script e-mailing. I don't understand at all how you can go from >> /tmp/clamavemail${pid}.tmp within the jail to sendmail -t < /mnt/JailSSD/iocage/jails/clamav/root/tmp/clamavemail${pid}.tmp on server side Must have missed something...

Cheers

Never mind.

This path needs to be customized to the /root/tmp on server side, within the jail filesystem.
 
Top